Mitigating cyber-attacks by automatically coordinating responses from cyber-security tools

ABSTRACT

Cyber-attacks can be mitigated by automatically coordinating responses from cyber-security tools. For example, a cyber-security engine can include software modules created by multiple sources, each of the software modules being for integrating a respective cyber-security tool with the cyber-security engine. The cyber-security engine can use the software modules to communicate with the cyber-security tools in order to detect one or more events indicative of a cyber-attack against a computing environment. The cyber-security engine can then determine a coordinated-response strategy involving cooperation among the cyber-security tools to mitigate the cyber-attack. The cyber-security engine can transmit commands to the cyber-security tools to cause the cyber-security tools to implement the coordinated-response strategy.

REFERENCE TO RELATED APPLICATION

This is a continuation of co-pending U.S. patent application Ser. No. 15/949,264, titled “Mitigating Cyber-Attacks By Automatically Coordinating Responses From Cyber-Security Tools” and filed on Apr. 10, 2018, the entirety of which is hereby incorporated by reference herein.

TECHNICAL FIELD

The present disclosure relates generally to information security and intrusion detection. More specifically, but not by way of limitation, this disclosure relates to mitigating cyber-attacks by automatically coordinating responses from cyber-security tools.

BACKGROUND

Cyber-attacks are an ever-increasing problem in today's digitally connected world. Cyber-attacks can take on a variety of forms, such as denial of service (DoS) attacks; attacks involving viruses, Trojans, worms, or ransomware; and intrusion attempts. To combat cyber-attacks, organizations typically employ a large number of hardware- and software-based cyber-security tools (e.g., firewalls, intrusion detection systems, antivirus software, or any combination of these). For example, a single organization may employ 10-20 different cyber-security tools to mitigate (e.g., prevent) cyber-attacks.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an example of a system for mitigating cyber-attacks by automatically coordinating responses from cyber-security tools according to some aspects.

FIG. 2 is a block diagram of another example of a system for mitigating cyber-attacks by automatically coordinating responses from cyber-security tools according to some aspects.

FIG. 3 is a block diagram of still another example of a system for mitigating cyber-attacks by automatically coordinating responses from cyber-security tools according to some aspects.

FIG. 4 is a flow chart of an example of a process for mitigating cyber-attacks by automatically coordinating responses from cyber-security tools according to some aspects.

DETAILED DESCRIPTION

A typical computer system will employ several independent cyber-security tools that can detect a cyber-attack and attempt to implement responses to the cyber-attack independently of one another. This can create a variety of problems. For example, the cyber-security tools may attempt to respond to the cyber-attack in conflicting ways, which may reduce the effectiveness of some or all of the responses. Alternatively, the cyber-security tools may attempt to respond to the cyber-attack in the same way, which can result in duplication of efforts that unnecessarily consumes computing resources (e.g., RAM and processing cycles). Also, each cyber-security tool will only have limited information about a particular aspect of the cyber-attack, rather than “big picture” information about the cyber-attack as a whole. This can result in the cyber-security tool implementing an inadequate (e.g., partial) response that fails to appreciate the scope and complexity of the cyber-attack. Further, typical cyber-security tools are static and require frequent updates to detect ever-evolving cyber-attacks. But ensuring that all of an organization's cyber-security tools are constantly up-to-date is a time-consuming, expensive, and challenging process.

Some examples of the present disclosure can overcome one or more of the abovementioned issues by providing a cyber-security engine that can automatically (i) interface with various cyber-security tools to detect one or more events indicative of a cyber-attack; (ii) determine a coordinated-response strategy to mitigate the cyber-attack; and (iii) implement the coordinated-response strategy by controlling and managing responses from one or more cyber-security tools. This can help prevent the cyber-security tools from implementing conflicting, duplicate, or incomplete responses to the cyber-attack. In some examples, the cyber-security engine can also communicate with other cyber-security engines (e.g., in other networks) to automatically (i) identify various response strategies that have previously been implemented to mitigate a particular type of cyber-attack; (ii) compare the various response strategies to determine which of the response strategies was the “best” according to one or more predefined criteria; and (iii) configure itself to respond to a similar type of cyber-attack using the best response-strategy. This process can be repeatedly performed to help ensure that the cyber-security engine implements the best response to evolving cyber-attacks. In some examples, the cyber-security engine can include a machine-learning model for analyzing a cyber-attack and determining a holistic response strategy. The machine-learning model may evolve (“learn”) over time to enable the cyber-security engine to detect and mitigate new types of cyber-attacks.

As a particular example, a hacker may attempt to transmit a virus through an open port (e.g., port 8080) in an organization's network. The network may have antivirus software that detects the virus and transmits an alert to the cyber-security engine. The cyber-security engine can receive the alert and communicate with various other cyber-security tools (e.g., an intrusion detection system) to determine more information about the virus. Through this process, the cyber-security engine may determine that the virus was transmitted from an unknown source through port 8080. The cyber-security engine can then determine a coordinated-response strategy, for example, closing the open port and erasing the virus. Finally, the cyber-security engine can implement the coordinated-response strategy by instructing a firewall to close the open port and the antivirus software to erase the virus. In this manner, the cyber-security engine can provide a more complete, holistic response to the cyber-attack than the antivirus software could implement alone. For example, by itself, the antivirus software would only erase the virus, without closing the open port. This could leave the network vulnerable to additional cyber-attacks by the hacker.

In the example discussed above, the cyber-security engine may determine the coordinated-response strategy by communicating with other cyber-security engines in other networks (e.g., for other organizations). The cyber-security engine can communicate with the other cyber-security engines to determine how they have responded to similar types of cyber-attacks in the past. For example, the cyber-security engine can determine that one cyber-security engine responded to a similar type of cyber-attack by (i) analyzing data-packet logs to determine which data packets are associated with the virus, (ii) determining that those data packets originated from an IP address that is unknown to the cyber-security engine, (iii) instructing a firewall to filter data-packets from the IP address on port 8080, and (iv) instructing the antivirus software to erase the virus. The cyber-security engine can also determine that another cyber-security engine responded to a similar type of cyber-attack by (i) instructing a firewall to close port 8080, and (ii) instructing the antivirus software to erase the virus. The cyber-security engine can then compare one or more characteristics of the responses. These characteristics can be referred to as response characteristics. For example, the cyber-security engine can determine that the two-step response takes significantly less processing power, memory, and time to implement than the four-step response. So, the cyber-security engine can select the two-step response as the coordinated-response strategy.

In some examples, the cyber-security engine can select a coordinated-response strategy for a cyber-attack based at least in part on the characteristics of the computing environment (e.g., computer, network, or both) that the cyber-security engine is defending. These characteristics can be referred to as computing-environment characteristics. For example, the cyber-security engine can determine that no services in the computing environment are using port 8080, so port 8080 can be closed without negatively affecting any services. Based on this determination, the cyber-security engine can select the two-step response over the four-step response (discussed above). Alternatively, the cyber-security engine can determine that the computing environment has a service that is using port 8080, so port 8080 cannot be closed without negatively affecting the service. Based on this determination, the cyber-security engine can select the four-step response over the two-step response.

These illustrative examples are given to introduce the reader to the general subject matter discussed here and are not intended to limit the scope of the disclosed concepts. The following sections describe various additional features and examples with reference to the drawings in which like numerals indicate like elements but, like the illustrative examples, should not be used to limit the present disclosure.

FIG. 1 is a block diagram of an example of a system 100 for mitigating cyber-attacks by automatically coordinating responses from cyber-security tools 106 a-b according to some aspects. The system 100 includes a cyber-security engine 102, which can serve as a centralized medium for communicating with and controlling any number and combination of cyber-security tools 106 a-b. The cyber-security engine 102 can be a software application executing on one or more computing devices in a computing environment 104 for defending against a cyber-attack 122.

The cyber-security engine 102 can integrate with the cyber-security tools 106 a-b through software modules 108 a-b. A software module can be a self-contained, installable module with computer-executable program code for enabling the cyber-security engine 102 to integrate with a particular cyber-security tool. The software modules 108 a-b can be produced by various sources 112 a-b, such as different companies or organizations. For example, a company that makes the cyber-security tool 106 a can create the software module 108 a to enable the cyber-security tool 106 a to be integrated with the cyber-security engine 102. And another company that makes another cyber-security tool 106 b can create the software module 108 b to enable the other cyber-security tool 106 b to be integrated with the cyber-security engine 102. By having various sources create the software modules 108 a-b (e.g., as opposed to having a single entity create all of the software modules 108 a-b), better and faster integration with a large number of cyber-security tools can be achieved.

In some examples, the software modules 108 a-b can be open source and programmed using the same programming language (e.g., an automation language, like Ansible™). This can enable a community of developers to quickly and easily create, update, and debug the software modules 108 a-b, thereby improving the number and quality of the software modules 108 available. The software modules 108 may be stored in a centralized repository 110 (e.g., GitHub™), from which they can be downloaded (e.g., via the Internet) and installed for use by the cyber-security engine 102.

The software modules 108 a-b can interface with application programming interfaces (APIs) 114 a-b of the cyber-security tools 106 a-b. The APIs can enable information to be communicated (e.g., bidirectionally) between the cyber-security tools 106 a-b and the software modules 108 a-b. Each cyber-security tool can have an API for integrating with the cyber-security engine 102. For example, the cyber-security tool 106 a can have a Representational State Transfer (REST) API through which the cyber-security engine 102 can control the cyber-security tool 106 a using REST commands.

The software modules 108 a-b can translate commands and data between formats to enable the cyber-security engine 102 to communicate with the cyber-security tools 106 a-b. For example, the cyber-security tool 106 a may accept commands in a REST format and provide data in an extensible markup language (XML) format. And the cyber-security tool 106 b may accept commands in a proprietary format and provide data in JavaScript Object Notation (JSON) format. But the cyber-security engine 102 may only be able to transmit commands in a C++ syntax and digest data in a comma-separated format. So, the software modules 108 a-b can convert data transmitted by the cyber-security tools 106 a-b from XML and JSON, respectively, into the comma-separated format digestible by the cyber-security engine 102. And the software modules 108 a-b can convert commands from the cyber-security engine 102 into the REST format and the proprietary format, respectively, for use by the cyber-security tools 106 a-b. In some examples, the software modules 108 a-b can include an algorithm or lookup table for translating commands and data between formats. For example, the software module 108 a can include a lookup table that correlates commands from the cyber-security engine 102 into REST commands for use by the cyber-security tool 106 a. And the other software module 108 b can include a lookup table that correlates commands from the cyber-security engine 102 into proprietary commands for use by the other cyber-security tool 106 b.
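The translation layer described above, as an added example that is not code from the disclosure: two software modules, one for a tool that takes REST commands and reports XML, one for a tool with a proprietary line syntax that reports JSON, each holding a lookup table from engine commands to tool commands and a converter from tool output to the comma-separated records the engine digests. The engine command vocabulary, the REST paths, the `AV ...` command syntax and the sample payloads are all constructed assumptions.

```python
import csv
import io
import json
import xml.etree.ElementTree as ET

# The engine's own vocabulary, an assumption for this example: it issues
# commands as a name plus parameters and digests events as flat CSV rows
# with this fixed header.
CSV_HEADER = ["tool", "event", "source", "port", "path"]


class ModuleA:
    """Integrates a tool that accepts REST commands and reports events as XML."""

    # Lookup table correlating engine commands with REST requests (constructed).
    COMMAND_TABLE = {
        "close_port": ("POST", "/api/v1/ports/{port}/close"),
        "block_source": ("POST", "/api/v1/blocklist/{ip}"),
    }

    def to_tool_command(self, name, **params):
        # KeyError here means this tool has no equivalent of the engine command.
        method, path = self.COMMAND_TABLE[name]
        return {"method": method, "path": path.format(**params)}

    def to_engine_record(self, raw_xml):
        # Tool output is untrusted input; a production module should use a
        # hardened XML parser (e.g. defusedxml) rather than the stdlib one.
        root = ET.fromstring(raw_xml)
        return {"tool": "A", "event": root.findtext("type", ""),
                "source": root.findtext("src", ""),
                "port": root.findtext("port", ""), "path": ""}


class ModuleB:
    """Integrates a tool with a proprietary line syntax that reports events as JSON."""

    COMMAND_TABLE = {
        "erase_file": "AV DELETE {path}",
        "quarantine_file": "AV QUARANTINE {path}",
    }

    def to_tool_command(self, name, **params):
        return self.COMMAND_TABLE[name].format(**params)

    def to_engine_record(self, raw_json):
        obj = json.loads(raw_json)
        return {"tool": "B", "event": obj.get("event", ""),
                "source": obj.get("origin", ""), "port": "",
                "path": obj.get("file", "")}


def to_csv(records):
    """Serialise normalised records in the comma-separated format the engine digests."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def dispatch(modules, plan):
    """Translate each (tool, command, params) step of a response strategy into that
    tool's native form. Steps a tool cannot perform are reported, not silently
    dropped, so the engine can re-plan instead of assuming the step happened."""
    issued, unsupported = [], []
    for tool, name, params in plan:
        try:
            issued.append((tool, modules[tool].to_tool_command(name, **params)))
        except KeyError:
            unsupported.append((tool, name))
    return issued, unsupported


# Constructed sample tool output and a constructed two-tool response plan.
SAMPLE_XML = ("<alert><type>virus_detected</type><src>203.0.113.7</src>"
              "<port>8080</port></alert>")
SAMPLE_JSON = ('{"event": "file_copy_burst", "origin": "203.0.113.7", '
               '"file": "/srv/data/export.zip"}')
MODULES = {"A": ModuleA(), "B": ModuleB()}
PLAN = [("A", "close_port", {"port": 8080}),
        ("B", "quarantine_file", {"path": "/srv/data/export.zip"}),
        ("B", "close_port", {"port": 8080})]   # tool B has no port control


def demo():
    records = [MODULES["A"].to_engine_record(SAMPLE_XML),
               MODULES["B"].to_engine_record(SAMPLE_JSON)]
    return to_csv(records), dispatch(MODULES, PLAN)


if __name__ == "__main__":
    csv_text, (issued, unsupported) = demo()
    print(csv_text)
    print(issued, unsupported)
```

The point of `dispatch` returning the unsupported steps is the coordination problem the text raises: if the engine assumed tool B had closed the port, the strategy would be silently incomplete. A real module would also carry the tool's authentication and transport details, which are omitted here.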

In some examples, the cyber-security engine 102 can use the software modules 108 a-b to communicate with the cyber-security tools 106 a-b in order to detect a cyber-attack 122. More specifically, the cyber-security engine 102 can receive and process data from the cyber-security tools 106 a-b to identify one or more events indicative of a cyber-attack 122. Examples of events can include (i) network events, such as high bandwidth, connections from unknown or untrusted sources, improperly formed data-packets, or port scans; (ii) file events, such as copying, deleting, modifying, or locking files; (iii) administrative events, such as creating a user account, deleting a user account, or modifying privileges for a user account; (iv) computer-resource events, such as high processing-power consumption, high memory consumption, or high energy consumption; (v) error events, such as a buffer overflow or a suspicious number of incorrect authentication attempts; or (vi) any combination of these. As a particular example, the cyber-security tool 106 a can transmit a notification to the cyber-security engine 102 indicating that bandwidth consumption is unusually high (e.g., higher than an average amount of bandwidth consumption by a threshold amount). And the other cyber-security tool 106 b can transmit a notification to the cyber-security engine 102 indicating that an unusual pattern of copying files has been detected. Individually, these notifications may seem generally innocuous. But the cyber-security engine 102 can determine that the combination of these events may signal a cyber-attack, such as a hacker downloading a large volume of critical files from the computing environment 104.

The cyber-security engine 102 can detect a cyber-attack 122 using any number and combination of techniques. In some examples, the cyber-security engine 102 can detect a cyber-attack 122 using a database 124 a. The database 124 a can be constructed by a cyber-security professional, a system administrator, or another entity. In one example, the database 124 a can include relationships between events that are detectable by various cyber-security tools 106 a-b and cyber-attacks. In another example, the database 124 a can include relationships between events that are detectable by various cyber-security tools 106 a-b and scores. The cyber-security engine 102 may detect a cyber-attack 122 if multiple events have an aggregate score that surpasses a predefined threshold. For example, the scores may range between 1 and 100, with higher scores being more indicative of a cyber-attack. An event involving unusually high bandwidth consumption can have a score of 30. An event involving an unusual pattern of copying files can have a score of 40. The aggregate value of these scores is 30+40=70, which may surpass a predefined threshold of 65 that is associated with a cyber-attack. Based on the aggregate value surpassing 65, the cyber-security engine 102 can determine that a cyber-attack is occurring or has occurred.

In some examples, the cyber-security engine 102 can detect a cyber-attack 122 using rules 118 a. The rules 118 a can include conditional statements (e.g., IF, THEN, ELSE statements) or otherwise express an ordered series of events that is associated with a cyber-attack 122. The cyber-security engine 102 can digest the rules 118 a and process data from the cyber-security tools 106 a-b to identify the ordered series of events associated with the cyber-attack 122. In some examples, the cyber-security engine 102 may construct the rules 118 a by analyzing logs of prior cyber-attacks and finding correlations between various events and the cyber-attacks. Additionally or alternatively, the rules 118 a can be constructed by a cyber-security professional, a system administrator, or another entity.
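The two detection techniques just described, the score database (124 a) with the 30+40=70 versus 65 example and the ordered-series rules (118 a), as one added example that is not the disclosure's code. The 30 and 40 scores and the threshold of 65 come from the text; the other event kinds, scores, rule sequences, time windows and the sample event streams are constructed assumptions. The example goes slightly beyond the text by bounding a rule's sequence with a time window and by counting each event kind once when aggregating, so a single tool repeating an alert cannot push the score over the threshold.

```python
from collections import namedtuple

# An observed event as normalised by the engine: epoch seconds, reporting tool, kind.
Event = namedtuple("Event", "ts tool kind")

# Analogue of database 124 a: event kinds mapped to scores in [1, 100]. The two
# scores from the text (30 and 40) are kept; the other entries are constructed.
EVENT_SCORES = {
    "high_bandwidth": 30,
    "file_copy_pattern": 40,
    "port_scan": 25,
    "auth_failures": 35,
    "new_admin_account": 45,
}
ATTACK_THRESHOLD = 65

# Analogue of rules 118 a: an ordered series of event kinds that must all occur,
# in this order, within `window` seconds. Constructed for the example.
Rule = namedtuple("Rule", "name sequence window")
RULES = [
    Rule("credential_abuse_then_exfil",
         ("auth_failures", "new_admin_account", "file_copy_pattern"), 900),
    Rule("scan_then_flood", ("port_scan", "high_bandwidth"), 300),
]


def aggregate_score(events):
    """Sum the scores of the distinct event kinds observed. Each kind is counted
    once so that a tool repeating the same alert cannot inflate the total."""
    return sum(EVENT_SCORES.get(kind, 0) for kind in {e.kind for e in events})


def score_detect(events, threshold=ATTACK_THRESHOLD):
    score = aggregate_score(events)
    return score, score > threshold


def matches_rule(events, rule):
    """True if the rule's sequence occurs in order in the event stream with the
    first and last matched events no more than rule.window seconds apart."""
    ordered = sorted(events, key=lambda e: e.ts)
    for start, first in enumerate(ordered):
        if first.kind != rule.sequence[0]:
            continue
        pos, last_ts = 1, first.ts
        for e in ordered[start + 1:]:
            if pos < len(rule.sequence) and e.kind == rule.sequence[pos]:
                pos, last_ts = pos + 1, e.ts
                if pos == len(rule.sequence):
                    break
        if pos == len(rule.sequence) and last_ts - first.ts <= rule.window:
            return True
    return False


def rule_detect(events, rules=RULES):
    return [r.name for r in rules if matches_rule(events, r)]


def detect(events):
    """Combine both techniques: the score verdict plus the names of any rules hit."""
    score, over = score_detect(events)
    hits = rule_detect(events)
    return {"score": score, "score_attack": over, "rules": hits,
            "attack": over or bool(hits)}


# Constructed sample event streams.
BURST = [Event(100, "tool_a", "high_bandwidth"),
         Event(160, "tool_b", "file_copy_pattern")]          # the text's 30+40 case
SEQUENCE = [Event(0, "idp", "auth_failures"), Event(50, "net", "high_bandwidth"),
            Event(120, "idp", "new_admin_account"), Event(400, "fs", "file_copy_pattern")]
SCAN = [Event(0, "ids", "port_scan"), Event(120, "net", "high_bandwidth")]
SLOW_SCAN = [Event(0, "ids", "port_scan"), Event(1000, "net", "high_bandwidth")]
BENIGN = [Event(10, "net", "high_bandwidth"), Event(20, "net", "high_bandwidth")]

if __name__ == "__main__":
    for name, stream in [("BURST", BURST), ("SEQUENCE", SEQUENCE), ("SCAN", SCAN),
                         ("SLOW_SCAN", SLOW_SCAN), ("BENIGN", BENIGN)]:
        print(name, detect(stream))
```

`SCAN` shows why the two techniques complement each other: its score (55) stays under the threshold, but the ordered rule fires; `SLOW_SCAN` has the same events too far apart and triggers neither.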

In some examples, the cyber-security engine 102 can detect a cyber-attack 122 using a machine-learning model 120 a. Examples of the machine-learning model 120 a can include a neural network, decision tree, classifier, or any combination of these. The machine-learning model 120 a can be trained to determine correlations between various events and a cyber-attack 122. For example, the machine-learning model 120 a can be trained using training data that includes thousands or millions of relationships between cyber-attacks and various events detectable by the cyber-security tools 106 a-b. The training data can be supplied as input to the machine-learning model 120 a, which can tune various weights (e.g., node weights) based on the training data. This process can be iterated until the machine-learning model 120 a is capable of identifying a cyber-attack with an acceptable level of accuracy (e.g., 95% correct). After the machine-learning model 120 a has been trained, the cyber-security engine 102 can receive information about various events from the cyber-security tools 106 a-b, feed the information into the machine-learning model 120 a, and receive as output an indication of whether or not the events indicate a cyber-attack 122.

After detecting a cyber-attack 122, the cyber-security engine 102 can determine a coordinated-response strategy to mitigate the cyber-attack 122. A coordinated-response strategy can involve at least two cyber-security tools 106 a-b performing operations that are collectively configured to mitigate a single cyber-attack 122. These operations can be referred to as mitigation operations. Examples of mitigation operations can include (i) modifying, deleting, or quarantining problematic software, such as a virus, Trojan, worm, or ransomware; (ii) closing or opening a port; (iii) closing or opening a network connection; (iv) creating, deleting, or modifying a file; (v) creating a user account, deleting a user account, or modifying privileges for a user account; (vi) quarantining a portion of memory or a filesystem; (vii) applying an update or patch; (viii) changing a setting; or (ix) any combination of these.

The cyber-security engine 102 can determine the coordinated-response strategy based on one or more characteristics of the cyber-attack 122, which can be referred to as cyber-attack characteristics. Examples of cyber-attack characteristics can include (i) a source of the cyber-attack; (ii) a type of the cyber-attack; (iii) program code or a file associated with the cyber-attack; (iv) a time and date of the cyber-attack; (v) steps or actions implemented to carry out the cyber-attack; or (vi) any combination of these.

The cyber-security engine 102 can determine a coordinated-response strategy using any number and combination of techniques. In some examples, the cyber-security engine 102 can determine a coordinated-response strategy using a database 124 b. The database 124 b can be constructed by a cyber-security professional, a system administrator, or another entity. The database 124 b can include relationships between cyber-attack characteristics and coordinated-response strategies. For example, the database 124 b can include various types of cyber-attacks, with each type of cyber-attack being correlated to at least one coordinated-response strategy. In some examples, each type of cyber-attack can be correlated to multiple different coordinated-response strategies, from which the cyber-security engine 102 can select a preferred coordinated-response strategy based on the circumstances (e.g., the computing-environment characteristics; the cyber-attack characteristics, such as the type of the cyber-attack 122 or the severity of the cyber-attack; or any combination of these).

In some examples, the cyber-security engine 102 can determine a coordinated-response strategy using rules 118 b. The rules 118 b can include conditional statements or otherwise express an ordered series of steps for determining a coordinated-response strategy. The cyber-security engine 102 can digest and apply the rules 118 b to the circumstances to determine the appropriate coordinated-response strategy. In some examples, the cyber-security engine 102 may construct the rules 118 b by analyzing logs of prior cyber-attacks and response strategies used to mitigate the prior cyber-attacks. Additionally or alternatively, the rules 118 b can be constructed by a cyber-security professional, a system administrator, or another entity.

In some examples, the cyber-security engine 102 can determine a coordinated-response strategy using a machine-learning model 120 b. The machine-learning model 120 b can be trained to select among candidate coordinated-response strategies based on the circumstances. For example, the machine-learning model 120 b can be trained using training data that includes thousands or millions of relationships between cyber-attack characteristics and coordinated-response strategies. The training data can be supplied as input to the machine-learning model 120 b, which can tune various weights based on the training data. This process can be iterated until the machine-learning model 120 b is capable of identifying a preferred coordinated-response strategy with an acceptable level of accuracy (e.g., 95% correct). As another example, each piece of training data can include a relationship between (i) a computing-environment characteristic, (ii) a cyber-attack characteristic, and (iii) a preferred coordinated-response strategy. The machine-learning model 120 b can then be trained using this more-complex training data. After the machine-learning model 120 b has been trained, the cyber-security engine 102 can determine one or more cyber-attack characteristics (and, in some examples, one or more computing-environment characteristics), feed the characteristics into the machine-learning model 120 b, and receive as output a coordinated-response strategy for mitigating the cyber-attack 122.

In one example in which there is little or no training data available, the cyber-security engine 102 can use the machine-learning model 120 b to analyze cyber-attack characteristics and select a candidate response-strategy for mitigating the cyber-attack. The cyber-security engine 102 can then present the candidate response-strategy to a user via a display device (e.g., a liquid crystal display). The cyber-security engine 102 can receive user input via a user input device (e.g., a mouse, keyboard, or touchscreen) indicating whether the candidate response-strategy is acceptable or unacceptable to the user. Based on the user input, the cyber-security engine 102 can configure the machine-learning model 120 b to improve accuracy. For example, the cyber-security engine 102 can configure one or more parameters of the machine-learning model 120 b based on the user input. In some examples, if the user input indicates that the candidate response-strategy is unacceptable, the machine-learning model 120 b can select and present an alternative candidate response-strategy to the user. This process can be repeated until the machine-learning model 120 b identifies an acceptable response-strategy. The machine-learning model 120 b can then be configured to correlate the cyber-attack characteristics with the acceptable response-strategy. The above process can be iterated for a wide variety of cyber-attack characteristics and response strategies to teach the machine-learning model 120 b how to select an appropriate coordinated-response strategy for the circumstances.

Next, the cyber-security engine 102 can cause the coordinated-response strategy to be implemented. For example, the cyber-security engine 102 can transmit commands to the cyber-security tools 106 a-b to cause the cyber-security tools 106 a-b to implement respective portions of the coordinated-response strategy. For example, the cyber-security engine 102 can transmit a command 116 to cyber-security tool 106 a to cause cyber-security tool 106 a to close a port, close a network connection, quarantine a portion of memory (e.g., RAM or a hard disk), or erase a file.

The components shown in FIG. 1 are exemplary, and other examples can include more components, fewer components, different components, or a different combination of the components shown in FIG. 1. For example, although FIG. 1 shows two separate sets of rules 118 a-b, these may be combined into a single set of rules. As another example, although FIG. 1 shows two separate machine-learning models 120 a-b, these may be combined into a single machine-learning model (e.g., capable of performing the functionality of both of the machine-learning models 120 a-b). As still another example, although FIG. 1 shows two separate databases 124 a-b, these may be combined into a single database. Further, the system 100 can include any number and combination of cyber-security tools for defending against any number and combination of cyber-attacks. And the cyber-security engine 102 can include any number and combination of software modules, created by any number and combination of sources, for integrating with the cyber-security tools.

FIG. 2 is a block diagram of another example of a system 200 for mitigating cyber-attacks by automatically coordinating responses from cyber-security tools 106 a-i according to some aspects. The system 200 includes a network 206 a being protected by a cyber-security engine 102 a, another network 206 b being protected by another cyber-security engine 102 b, and a computing environment 104 being protected by yet another cyber-security engine 102 c. In some examples, the computing environment 104 is a network that is different from the other networks 206 a-b.

The cyber-security engines 102 a-c can communicate with one another to share information about cyber-attacks 122 a-c, responses to the cyber-attacks 122 a-c, or both. For example, cyber-security engine 102 a can transmit information about a new type of cyber-attack 122 a, a coordinated-response strategy for mitigating the new type of cyber-attack 122 a, or both to the other cyber-security engine 102 c. The cyber-security engine 102 c can then configure itself to defend against the new type of cyber-attack 122 a based on the information. For example, cyber-security engine 102 c can add the information to the database 124. Additionally or alternatively, the cyber-security engine 102 c can train the machine-learning model 120 using the information. Sharing this information among the cyber-security engines 102 a-c can help them combat new or evolving cyber-attacks.

In some examples, the cyber-security engine 102 c can determine and compare how the other cyber-security engines 102 a-b responded to a particular type of cyber-attack. For example, the cyber-security engine 102 a may have responded to a particular type of cyber-attack 122 a using one coordinated-response strategy. And the other cyber-security engine 102 b may have responded to the same type of cyber-attack 122 b using another coordinated-response strategy. The cyber-security engine 102 c can communicate with the other cyber-security engines 102 a-b to determine the two coordinated-response strategies.

After determining the two coordinated-response strategies, the cyber-security engine 102 c can compare response characteristics of the coordinated-response strategies to determine which coordinated-response strategy is superior. Examples of the response characteristics can be (i) the amount of time required to implement the coordinated-response strategy; (ii) the amount of processing power, memory, or electrical energy required to implement the coordinated-response strategy; (iii) the effectiveness of the coordinated-response strategy; (iv) the hardware or software required to implement the coordinated-response strategy; or (v) any combination of these. The cyber-security engine 102 c can determine that one coordinated-response strategy is superior to another based on the circumstances, such as the computing-environment characteristics, the cyber-attack characteristics, the response characteristics, or any combination of these. For example, the cyber-security engine 102 c can compare the amount of time required to implement each coordinated-response strategy and determine that the faster of the two is superior. As another example, the cyber-security engine 102 c can compare the amount of RAM required to implement each coordinated-response strategy and determine that the more memory-efficient of the two is superior. As another example, the cyber-security engine 102 c can determine that one of the coordinated-response strategies requires particular software in order to be implemented. And the computing environment 104 may lack the particular software. So, the cyber-security engine 102 c can determine that the other coordinated-response strategy is superior. The cyber-security engine 102 c can use any number and combination of criteria (e.g., predefined or dynamic) to determine which coordinated-response strategy is superior.
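The strategy comparison described here, together with the port 8080 two-step versus four-step choice from the introduction (selecting on computing-environment characteristics as well as response characteristics), as one added example that is not the disclosure's code. The two strategies and their step lists follow the text; the numeric time and memory values, the software names and the sample environments are constructed assumptions. The example goes beyond the text in one respect: candidates that are infeasible in the environment are rejected with a stated reason before any ranking, and an empty feasible set is returned as `None` rather than a guessed strategy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Strategy:
    """A candidate coordinated-response strategy with its response characteristics."""
    name: str
    steps: tuple                  # (tool, action) pairs, in order
    time_s: int                   # time required to implement (constructed values)
    memory_mb: int                # memory required (constructed values)
    required_software: frozenset  # hardware/software the strategy depends on
    ports_closed: frozenset       # side effect checked against the environment


@dataclass(frozen=True)
class Environment:
    """Computing-environment characteristics of the network being defended."""
    ports_in_use: frozenset
    installed_software: frozenset


# The two strategies from the text, with constructed characteristic values.
TWO_STEP = Strategy(
    "close_port_and_erase",
    (("firewall", "close port 8080"), ("antivirus", "erase virus")),
    time_s=2, memory_mb=16,
    required_software=frozenset({"firewall", "antivirus"}),
    ports_closed=frozenset({8080}))
FOUR_STEP = Strategy(
    "filter_source_and_erase",
    (("packet_logger", "find packets associated with the virus"),
     ("engine", "resolve the unknown source IP address"),
     ("firewall", "filter that IP address on port 8080"),
     ("antivirus", "erase virus")),
    time_s=30, memory_mb=256,
    required_software=frozenset({"packet_logger", "firewall", "antivirus"}),
    ports_closed=frozenset())
CANDIDATES = [TWO_STEP, FOUR_STEP]


def infeasibility_reasons(strategy, env):
    """Why a strategy cannot be used in this environment (empty list if it can)."""
    reasons = []
    for port in sorted(strategy.ports_closed & env.ports_in_use):
        reasons.append(f"port {port} is in use by a service")
    for sw in sorted(strategy.required_software - env.installed_software):
        reasons.append(f"requires {sw}, which is not installed")
    return reasons


def select_strategy(candidates, env, criteria=("time_s", "memory_mb")):
    """Drop infeasible candidates, then rank the rest by the response
    characteristics named in `criteria` (lower is better, in priority order).
    Returns (chosen or None, {name: reasons} for the rejected candidates)."""
    feasible, rejected = [], {}
    for s in candidates:
        reasons = infeasibility_reasons(s, env)
        if reasons:
            rejected[s.name] = reasons
        else:
            feasible.append(s)
    if not feasible:
        return None, rejected          # nothing safe to do automatically
    best = min(feasible, key=lambda s: tuple(getattr(s, c) for c in criteria))
    return best, rejected


# Constructed sample environments.
FULL_SW = frozenset({"firewall", "antivirus", "packet_logger"})
PORT_FREE = Environment(ports_in_use=frozenset({443}), installed_software=FULL_SW)
PORT_BUSY = Environment(ports_in_use=frozenset({443, 8080}), installed_software=FULL_SW)
NO_LOGGER = Environment(ports_in_use=frozenset({443, 8080}),
                        installed_software=frozenset({"firewall", "antivirus"}))

if __name__ == "__main__":
    for label, env in [("port free", PORT_FREE), ("port busy", PORT_BUSY),
                       ("no packet logger", NO_LOGGER)]:
        chosen, rejected = select_strategy(CANDIDATES, env)
        print(label, "->", chosen.name if chosen else None, rejected)
```

With port 8080 unused the faster two-step strategy wins on the time criterion; with a service on 8080 it is rejected as infeasible and the four-step strategy is chosen; with the packet logger also missing, neither is feasible and the engine gets `None` with both reasons, which is the case to escalate to an operator rather than act on.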

In some examples, the cyber-security engine 102 c can configure itself to use the superior coordinated-response strategy to respond to the same type of cyber-attack 122 c. For example, the cyber-security engine 102 c can include a machine-learning model 120. The machine-learning model 120 can be trained to select the superior coordinated-response strategy for use in responding to the cyber-attack 122 c. As another example, the cyber-security engine 102 c can configure a database 124 to correlate the superior coordinated-response strategy with the cyber-attack 122 c. Then, if the same type of cyber-attack 122 c is launched against the computing environment 104, the cyber-security engine 102 c can select and use the superior coordinated-response strategy to mitigate the cyber-attack 122 c.

The components shown in FIG. 2 are exemplary, and other examples can include more components, fewer components, different components, or a different combination of the components shown in FIG. 2. For example, the cyber-security engine 102 c can communicate with any number and combination of other cyber-security engines, spread out across any number and combination of computing environments.

FIG. 3 is a block diagram of still another example of a system 300 for mitigating cyber-attacks by automatically coordinating responses from cyber-security tools 106 a-b according to some aspects. The system 300 includes a processing device 302 communicatively coupled to a memory device 304. In some examples, the processing device 302 and the memory device 304 can be housed in a single device, such as a computing device. In other examples, the processing device 302 and the memory device 304 can be distributed from one another.

The processing device 302 can include one processing device or multiple processing devices. Non-limiting examples of the processing device 302 include a Field-Programmable Gate Array (FPGA), an application-specific integrated circuit (ASIC), a microprocessor, etc. The processing device 302 can execute instructions 306 stored in the memory device 304 to perform operations. In some examples, the instructions 306 can include processor-specific instructions generated by a compiler or an interpreter from code written in any suitable computer-programming language, such as C, C++, C#, etc.

The memory device 304 can include one memory device or multiple memory devices. The memory device 304 can be non-volatile and may include any type of memory device that retains stored information when powered off. Non-limiting examples of the memory device 304 include electrically erasable and programmable read-only memory (EEPROM), flash memory, or any other type of non-volatile memory. In some examples, at least some of the memory device can include a medium from which the processing device 302 can read instructions 306. In some examples, the instructions 306 can be for a cyber-security engine 102. The cyber-security engine 102 can include one or more software modules 108 a-b created by various sources 112 a-b. In some examples, the memory device 304 can include a non-transitory computer-readable medium. A computer-readable medium can include electronic, optical, magnetic, or other storage devices capable of providing the processing device 302 with computer-readable instructions or other program code. Examples of a computer-readable medium include magnetic disk(s), memory chip(s), ROM, random-access memory (RAM), an ASIC, a configured processor, optical storage, or any other medium from which a computer processor can read the instructions 306.

The processing device 302 can obtain the software modules 108 a-b (e.g., from the sources 112 a-b) and configure the software modules 108 a-b for use with the cyber-security engine 102. This can involve installing the software modules 108 a-b or integrating the software modules 108 a-b into the cyber-security engine 102. The processing device 302 may then be able to communicate with the cyber-security tools 106 a-b. The processing device 302 can communicate with the cyber-security tools 106 a-b and, using the cyber-security engine 102, detect one or more events indicative of a cyber-attack 122 against a computing environment 104. In response to detecting the one or more events indicative of a cyber-attack 122, the processing device 302 can use the cyber-security engine 102 to determine a coordinated-response strategy 308 for mitigating the cyber-attack 122. The processing device 302 can then implement the coordinated-response strategy 307 by transmitting commands 116 a-b to the cyber-security tools 106 a-b.

FIG. 4 is a flow chart of an example of a process for mitigating cyber-attacks by automatically coordinating responses from cyber-security tools according to some aspects. Other examples can include more steps, fewer steps, different steps, or a different order of the steps than are depicted in FIG. 4. The steps of FIG. 4 are described with reference to the components discussed above with regard to FIG. 3.

In block 402, a processing device 302 receives multiple software modules 108 a-b created by multiple sources 112 a-b. Each software module can be for integrating a respective cyber-security tool among multiple cyber-security tools 106 a-b with the cyber-security engine 102. For example, each software module can have computer-executable program code that is specifically designed to work with an API of a particular cyber-security tool. The processing device 302 can receive the software modules 108 a-b from a central repository, directly or indirectly from the sources 112 a-b, etc.

In block 404, the processing device 302 configures the multiple software modules 108 a-b for use with the cyber-security engine 102 to enable the cyber-security engine 102 to communicate with the multiple cyber-security tools 106 a-b. Configuring the software modules 108 a-b can involve installing the software modules 108 a-b, setting one or more flags or adjusting one or more parameters in the cyber-security engine 102, storing the software modules 108 a-b at a particular location in a filesystem, or any combination of these.

In block 406, the processing device 302 detects one or more events indicative of a cyber-attack 122 against a computing environment 104 using the multiple software modules 108 a-b to communicate with the multiple cyber-security tools 106 a-b. For example, the processing device 302 can receive communications (e.g., alerts or notifications) from the cyber-security tools 106 a-b. The processing device 302 can then use the software modules 108 a-b to translate the communications into a format that is capable of being analyzed using the cyber-security engine 102. The processing device 302 can then use the cyber-security engine 102 (e.g., a machine-learning model or database of the cyber-security engine 102) to analyze the translated communications and thereby determine that the translated communications indicate the one or more events.

In block 408, the processing device 302 determines a coordinated-response strategy 308 in response to detecting the one or more events indicative of the cyber-attack 122. The coordinated-response strategy 308 can involve cooperation among the cyber-security tools 106 a-b to mitigate the cyber-attack 122. In some examples, the processing device 302 can use a database, a machine-learning model, rules, or any combination of these to determine the coordinated-response strategy 308. The processing device 302 may determine the coordinated-response strategy 308 based on the computing-environment characteristics, the cyber-attack characteristics, or both.

In some examples, determining the coordinated-response strategy 308 can involve selecting a particular cyber-security tool 106 a to perform a mitigation operation from among several cyber-security tools 106 a-b that are capable of performing the mitigation operation. For example, the computing environment 104 can have three cyber-security tools that are all antivirus software. Each piece of antivirus software can generally have a different purpose, but they may all be capable of erasing a particular type of virus. If the cyber-attack 122 involves the particular type of virus, part of determining the coordinated-response strategy 308 can involve selecting which of the pieces of antivirus software to use to erase the virus. In some examples, the processing device 302 can compare cyber-security tools 106 a-b capable of performing a mitigation operation to determine which cyber-security tool can perform the mitigation operation in a superior manner (e.g., according to one or more predefined criteria). The processing device 302 can then select the superior cyber-security tool to perform the mitigation operation as part of the coordinated-response strategy. For example, the processing device 302 can determine that the cyber-security tool 106 a can erase the particular type of virus faster, using less memory, using less processing power, or any combination of these, than the other cyber-security tool 106 b. So, the processing device 302 can select the cyber-security tool 106 a to erase the virus as part of the coordinated-response strategy.

In block 410, the processing device 302 transmits commands 116 a-b to the multiple cyber-security tools 106 a-b. The commands 116 a-b can be configured to cause the cyber-security tools 106 a-b to implement the coordinated-response strategy 308. For example, each command can cause a cyber-security tool to implement one or more mitigation operations to combat at least a portion of the cyber-attack 112. The commands 116 a-b can be in any suitable format that is interpretable by the cyber-security tools 106 a-b.
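Blocks 402 through 410 describe one procedure: per-tool software modules translate each tool's alerts into a common format, the engine analyzes the translated events to detect an attack, chooses for each mitigation operation the tool that performs it best among the capable tools, and then sends each tool a command in its own format. The following is an added example of that flow end to end; it is not code from the patent or from any vendor. The `SoftwareModule` adapters, the three tool names, their capability costs, the rule-based detector and playbook, and the sample alerts are all constructed assumptions, not real product APIs.

```python
"""Added example (not from the patent): a minimal engine following FIG. 4.
Modules translate vendor-shaped alerts into one Event type (block 406), a rule
flags the attack, a playbook maps the attack to mitigation operations, the
cheapest capable tool is chosen per operation (block 408), and each chosen
tool gets a command in its own format (block 410). All names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Normalized event the engine analyzes, regardless of which tool raised it."""
    source_tool: str
    category: str   # e.g. "malware", "intrusion"
    severity: int   # 1 (info) .. 5 (critical)
    host: str


class SoftwareModule:
    """Base adapter: one per tool, written against that tool's own alert/command format."""
    tool_name = ""
    capabilities = {}   # mitigation operation -> cost (lower is better)

    def translate(self, raw: dict) -> Event:
        raise NotImplementedError

    def build_command(self, op: str, host: str) -> dict:
        raise NotImplementedError


class AvVendorAModule(SoftwareModule):
    tool_name = "av_a"
    capabilities = {"erase_virus": 30, "quarantine_host": 60}

    def translate(self, raw):
        sev = {"HIGH": 4, "CRITICAL": 5}.get(raw["threat_level"], 2)
        return Event(self.tool_name, "malware", sev, raw["endpoint"])

    def build_command(self, op, host):
        action = {"erase_virus": "clean", "quarantine_host": "isolate"}[op]
        return {"tool": self.tool_name, "action": action, "endpoint": host}


class AvVendorBModule(SoftwareModule):
    tool_name = "av_b"
    capabilities = {"erase_virus": 10}   # faster scanner, but cannot isolate a host

    def translate(self, raw):
        return Event(self.tool_name, "malware", int(raw["sev"]), raw["machine"])

    def build_command(self, op, host):
        return {"tool": self.tool_name, "cmd": f"remove --target {host}"}


class FirewallModule(SoftwareModule):
    tool_name = "fw"
    capabilities = {"quarantine_host": 5}

    def translate(self, raw):
        return Event(self.tool_name, "intrusion", 3, raw["src"])

    def build_command(self, op, host):
        return {"tool": self.tool_name, "rule": f"deny from {host}"}


# Which mitigation operations a detected attack category calls for (constructed playbook).
PLAYBOOK = {"malware": ["erase_virus", "quarantine_host"]}


class CyberSecurityEngine:
    def __init__(self):
        self.modules = {}

    def configure(self, module: SoftwareModule) -> None:      # block 404
        self.modules[module.tool_name] = module

    def detect(self, raw_alerts):                              # block 406
        """raw_alerts: (tool_name, raw dict) pairs; returns events that indicate an attack."""
        events = [self.modules[tool].translate(raw) for tool, raw in raw_alerts]
        # Simple rule in place of the ML model/database: high-severity malware is an attack.
        return [e for e in events if e.category == "malware" and e.severity >= 4]

    def determine_strategy(self, hits):                        # block 408
        """For each affected host and needed operation pick the cheapest capable tool."""
        plan = []
        for e in sorted(hits, key=lambda e: e.host):
            for op in PLAYBOOK.get(e.category, []):
                capable = [m for m in self.modules.values() if op in m.capabilities]
                if not capable:
                    continue   # no installed tool can do this step; keep the rest of the plan
                best = min(capable, key=lambda m: m.capabilities[op])
                plan.append((best.tool_name, op, e.host))
        return plan

    def build_commands(self, plan):                            # block 410
        return [self.modules[tool].build_command(op, host) for tool, op, host in plan]


def run_example():
    engine = CyberSecurityEngine()
    for m in (AvVendorAModule(), AvVendorBModule(), FirewallModule()):
        engine.configure(m)
    raw_alerts = [   # constructed sample alerts, each in its vendor's own shape
        ("av_a", {"threat_level": "CRITICAL", "endpoint": "ws-17"}),
        ("av_b", {"sev": "2", "machine": "ws-03"}),
        ("fw", {"src": "10.0.0.9"}),
    ]
    hits = engine.detect(raw_alerts)
    plan = engine.determine_strategy(hits)
    return hits, plan, engine.build_commands(plan)


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

The engine itself never touches a vendor format: translation in and command construction out both live in the module for that tool, so adding a tool from a new source means adding one adapter, not changing the detection or strategy code. The per-operation selection is where the "three antivirus tools, pick the fastest" choice from the text happens; here the faster scanner erases the virus while the firewall, not the antivirus, quarantines the host because it is the cheapest tool with that capability.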

The foregoing description of certain examples, including illustrated examples, has been presented only for the purpose of illustration and description and is not intended to be exhaustive or to limit the disclosure to the precise forms disclosed. Numerous modifications, adaptations, and uses thereof will be apparent to those skilled in the art without departing from the scope of the disclosure. And the examples disclosed herein can be combined or rearranged to yield additional examples.

The invention claimed is:
 1. A system comprising: a processing device; and a memory device including instructions that are executable by the processing device for causing the processing device to: detect one or more events associated with a cyber-attack against a computing environment by using a plurality of software modules to communicate with a plurality of cyber-security tools; in response to detecting the one or more events, determine a coordinated-response strategy by using a machine-learning model configured to analyze characteristics of the cyber-attack and determine the coordinated-response strategy from among a plurality of coordinated-response strategies based on the characteristics of the cyber-attack, the coordinated-response strategy involving cooperation among the plurality of cyber-security tools to mitigate the cyber-attack; and transmit commands to the plurality of cyber-security tools, the commands being configured to cause the plurality of cyber-security tools to implement the coordinated-response strategy.
 2. The system of claim 1, wherein each software module in the plurality of software modules has a source of creation that is different from other sources of creation associated with the other software modules in the plurality of software modules.
 3. The system of claim 1, wherein the coordinated-response strategy involves the plurality of cyber-security tools executing operations in a sequential order, and wherein the machine-learning model is configured to determine the sequential order of the operations based on the characteristics of the cyber-attack.
 4. The system of claim 1, wherein the machine-learning model includes a neural network.
 5. The system of claim 1, wherein the memory device further includes instructions that are executable by the processing device for causing the processing device to: determine that a first response-strategy was previously applied by a first cyber-security engine to mitigate the cyber-attack; determine that a second response-strategy was previously applied by a second cyber-security engine to mitigate the cyber-attack; determine that the first response-strategy is superior to the second response-strategy according to at least one predefined criterion; and based on determining that the first response-strategy is superior to the second response-strategy, train the machine-learning model to select the first response-strategy as the coordinated-response strategy rather than the second response-strategy.
 6. The system of claim 5, wherein the first cyber-security engine is for protecting a first network and the second cyber-security engine is for protecting a second network that is different from the first network.
 7. The system of claim 1, wherein the memory device further includes instructions that are executable by the processing device for causing the processing device to train the machine-learning model by iteratively: using the machine-learning model to analyze a particular cyber-attack and determine a candidate response-strategy for mitigating the particular cyber-attack; displaying information about the candidate response-strategy to a user via a display device; receiving user input indicating whether the candidate response-strategy is acceptable or unacceptable; and configuring one or more parameters of the machine-learning model in response to the user input.
 8. A method comprising: detecting, by a processing device, one or more events associated with a cyber-attack against a computing environment by using a plurality of software modules to communicate with a plurality of cyber-security tools; in response to detecting the one or more events, determining, by the processing device, a coordinated-response strategy by using a machine-learning model configured to analyze characteristics of the cyber-attack and determine the coordinated-response strategy from among a plurality of coordinated-response strategies based on the characteristics of the cyber-attack, the coordinated-response strategy involving cooperation among the plurality of cyber-security tools to mitigate the cyber-attack; and transmitting, by the processing device, commands to the plurality of cyber-security tools, the commands being configured to cause the plurality of cyber-security tools to implement the coordinated-response strategy.
 9. The method of claim 8, wherein each software module in the plurality of software modules was created by a respective source that is different from other sources that created the other software modules in the plurality of software modules.
 10. The method of claim 8, wherein the coordinated-response strategy involves the plurality of cyber-security tools executing operations in a sequential order, and wherein the machine-learning model determines the sequential order of the operations based on the characteristics of the cyber-attack.
 11. The method of claim 8, wherein the machine-learning model includes a neural network.
 12. The method of claim 8, further comprising: determining that a first response-strategy was previously applied by a first cyber-security engine to mitigate the cyber-attack; determining that a second response-strategy was previously applied by a second cyber-security engine to mitigate the cyber-attack; determining that the first response-strategy is superior to the second response-strategy according to at least one predefined criterion; and based on determining that the first response-strategy is superior to the second response-strategy, training the machine-learning model to select the first response-strategy as the coordinated-response strategy rather than the second response-strategy.
 13. The method of claim 12, wherein the first cyber-security engine is for protecting a first network and the second cyber-security engine is for protecting a second network that is different from the first network.
 14. The method of claim 8, further comprising training the machine-learning model by iteratively: using the machine-learning model to analyze a particular cyber-attack and determine a candidate response-strategy for mitigating the particular cyber-attack; displaying information about the candidate response-strategy to a user via a display device; receiving user input indicating whether the candidate response-strategy is acceptable or unacceptable; and configuring one or more parameters of the machine-learning model in response to the user input.
 15. A non-transitory computer-readable medium comprising program code that is executable by a processing device for causing the processing device to: detect one or more events associated with a cyber-attack against a computing environment by using a plurality of software modules created by a plurality of sources to communicate with a plurality of cyber-security tools; in response to detecting the one or more events, determine a coordinated-response strategy involving cooperation among the plurality of cyber-security tools to mitigate the cyber-attack; and transmit commands to the plurality of cyber-security tools, the commands being configured to cause the plurality of cyber-security tools to implement the coordinated-response strategy.
 16. The non-transitory computer-readable medium of claim 15, further including program code that is executable by the processing device for causing the processing device to determine the coordinated-response strategy by using a machine-learning model that is configured to analyze characteristics of the cyber-attack and determine the coordinated-response strategy from among a plurality of coordinated-response strategies based on the characteristics of the cyber-attack.
 17. The non-transitory computer-readable medium of claim 16, wherein the coordinated-response strategy involves the plurality of cyber-security tools executing operations in a sequential order, and wherein the machine-learning model is configured to determine the sequential order of the operations based on the characteristics of the cyber-attack.
 18. The non-transitory computer-readable medium of claim 16, further comprising program code that is executable by the processing device for causing the processing device to: determine that a first response-strategy was previously applied by a first cyber-security engine to mitigate the cyber-attack; determine that a second response-strategy was previously applied by a second cyber-security engine to mitigate the cyber-attack; determine that the first response-strategy is superior to the second response-strategy according to at least one predefined criterion; and based on determining that the first response-strategy is superior to the second response-strategy, train the machine-learning model to select the first response-strategy as the coordinated-response strategy rather than the second response-strategy.
 19. The non-transitory computer-readable medium of claim 18, wherein the first cyber-security engine is for protecting a first network and the second cyber-security engine is for protecting a second network that is different from the first network.
 20. The non-transitory computer-readable medium of claim 16, further comprising program code that is executable by the processing device for causing the processing device to train the machine-learning model by iteratively: using the machine-learning model to analyze a particular cyber-attack and determine a candidate response-strategy for mitigating the particular cyber-attack; displaying information about the candidate response-strategy to a user via a display device; receiving user input indicating whether the candidate response-strategy is acceptable or unacceptable; and configuring one or more parameters of the machine-learning model in response to the user input. 